secret_keys_rails 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 59a7a3c0cdf8e3bfc3404976d8abd554835ec5e7de3b118c405a721d6754fb92
+  data.tar.gz: 780e597db65702e0133aadef39e63ed4517e13b9eef007d0b5d0ed438b05501b
+SHA512:
+  metadata.gz: 4ae600744e21eebc2f5ba171e4820a76f8aa68e6c3b6525cddb40eae5ce50c0dd7c9962e2241eaea062906cc85ffcdc2d7b746752a803c2d7952b7130e148f90
+  data.tar.gz: bcc0a28007499a9299b519bb472b09f0019c7cfd1feba19df291d3f1738e72395b29bbe0dfaf64b2f5b24c5d279dc3d36467d55cc6529c5341ab9a4df0d44313

data/.github/workflows/main.yml

@@ -0,0 +1,42 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.5", "2.6", "2.7"]
+        rails: ["5.0", "5.1", "5.2", "6.0"]
+        include:
+          - ruby: "2.4"
+            rails: "4.2"
+    name: "test (Ruby ${{ matrix.ruby }}, Rails ${{ matrix.rails }})"
+    env:
+      BUNDLE_JOBS: 4
+      BUNDLE_RETRY: 3
+      BUNDLE_PATH: vendor/bundle
+      BUNDLE_CLEAN: "true"
+      BUNDLE_GEMFILE: gemfiles/rails_${{ matrix.rails }}.gemfile
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Bundle Cache
+        uses: actions/cache@v1
+        with:
+          path: vendor/bundle
+          key: ${{ runner.os }}-${{ matrix.rails }}-gems-${{ hashFiles(env.BUNDLE_GEMFILE) }}
+          restore-keys: ${{ runner.os }}-${{ matrix.rails }}-gems-
+      - name: Bundler Downgrade
+        run: |
+          gem uninstall bundler -x
+          gem install bundler -v "< 2" --no-document
+        if: ${{ matrix.rails == '4.2' }}
+      - name: Bundle Install
+        run: bundle install
+      - name: Test
+        run: bundle exec rake test

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/gemfiles/.bundle
+/gemfiles/*.lock

data/.travis.yml

@@ -0,0 +1,6 @@
+---
+language: ruby
+cache: bundler
+rvm:
+  - 2.7.0
+before_install: gem install bundler -v 2.1.2

data/Appraisals

@@ -0,0 +1,20 @@
+appraise "rails-6.0" do
+  gem "rails", "~> 6.0.0"
+end
+
+appraise "rails-5.2" do
+  gem "rails", "~> 5.2.0"
+end
+
+appraise "rails-5.1" do
+  gem "rails", "~> 5.1.0"
+end
+
+appraise "rails-5.0" do
+  gem "rails", "~> 5.0.0"
+end
+
+appraise "rails-4.2" do
+  gem "rails", "~> 4.2.0"
+  gem "sprockets", "< 4"
+end

data/CHANGELOG.md

@@ -0,0 +1,6 @@
+# SecretKeysRails Change Log
+
+## 0.1.0 - 2020-05-26
+
+### Added
+- Initial release.

data/Gemfile

@@ -0,0 +1,27 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in secret_keys_rails.gemspec
+gemspec
+
+gem "rake", "~> 12.0"
+
+# Tests
+gem "minitest", "~> 5.0"
+gem "minitest-reporters", "~> 1.4.2"
+
+# Run each test in isolation, so we can better test how changes would affect
+# the app loading.
+gem "minitest-fork_executor", "~> 1.0.1"
+
+# Run against multiple Rails versions.
+gem "appraisal", "~> 2.2.0"
+
+# Perform tests inside a Rails app, so we can simulate how this plugin
+# interacts with application loading.
+gem "combustion", "~> 1.3.0"
+
+# Test how this gem interacts with other gems inside the Combustion Rails test
+# app.
+group :test_app do
+  gem "config", "~> 2.2.1"
+end

data/Gemfile.lock

@@ -0,0 +1,212 @@
+PATH
+  remote: .
+  specs:
+    secret_keys_rails (0.1.0)
+      ice_nine
+      rails (>= 4)
+      secret_keys
+      thor
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activejob (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
+      activestorage (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
+      mail (>= 2.7.1)
+    actionmailer (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      actionview (= 6.0.3.1)
+      activejob (= 6.0.3.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (6.0.3.1)
+      actionview (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
+      rack (~> 2.0, >= 2.0.8)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
+      activestorage (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
+      nokogiri (>= 1.8.5)
+    actionview (6.0.3.1)
+      activesupport (= 6.0.3.1)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.3.1)
+      activesupport (= 6.0.3.1)
+      globalid (>= 0.3.6)
+    activemodel (6.0.3.1)
+      activesupport (= 6.0.3.1)
+    activerecord (6.0.3.1)
+      activemodel (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
+    activestorage (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activejob (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
+      marcel (~> 0.3.1)
+    activesupport (6.0.3.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    ansi (1.5.0)
+    appraisal (2.2.0)
+      bundler
+      rake
+      thor (>= 0.14.0)
+    builder (3.2.4)
+    combustion (1.3.0)
+      activesupport (>= 3.0.0)
+      railties (>= 3.0.0)
+      thor (>= 0.14.6)
+    concurrent-ruby (1.1.6)
+    config (2.2.1)
+      deep_merge (~> 1.2, >= 1.2.1)
+      dry-validation (~> 1.0, >= 1.0.0)
+    crass (1.0.6)
+    deep_merge (1.2.1)
+    dry-configurable (0.11.5)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.4, >= 0.4.7)
+      dry-equalizer (~> 0.2)
+    dry-container (0.7.2)
+      concurrent-ruby (~> 1.0)
+      dry-configurable (~> 0.1, >= 0.1.3)
+    dry-core (0.4.9)
+      concurrent-ruby (~> 1.0)
+    dry-equalizer (0.3.0)
+    dry-inflector (0.2.0)
+    dry-initializer (3.0.3)
+    dry-logic (1.0.6)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.2)
+      dry-equalizer (~> 0.2)
+    dry-schema (1.5.1)
+      concurrent-ruby (~> 1.0)
+      dry-configurable (~> 0.8, >= 0.8.3)
+      dry-core (~> 0.4)
+      dry-equalizer (~> 0.2)
+      dry-initializer (~> 3.0)
+      dry-logic (~> 1.0)
+      dry-types (~> 1.4)
+    dry-types (1.4.0)
+      concurrent-ruby (~> 1.0)
+      dry-container (~> 0.3)
+      dry-core (~> 0.4, >= 0.4.4)
+      dry-equalizer (~> 0.3)
+      dry-inflector (~> 0.1, >= 0.1.2)
+      dry-logic (~> 1.0, >= 1.0.2)
+    dry-validation (1.5.0)
+      concurrent-ruby (~> 1.0)
+      dry-container (~> 0.7, >= 0.7.1)
+      dry-core (~> 0.4)
+      dry-equalizer (~> 0.2)
+      dry-initializer (~> 3.0)
+      dry-schema (~> 1.5)
+    erubi (1.9.0)
+    globalid (0.4.2)
+      activesupport (>= 4.2.0)
+    i18n (1.8.2)
+      concurrent-ruby (~> 1.0)
+    ice_nine (0.11.2)
+    loofah (2.5.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
+    method_source (1.0.0)
+    mimemagic (0.3.5)
+    mini_mime (1.0.2)
+    mini_portile2 (2.4.0)
+    minitest (5.14.1)
+    minitest-fork_executor (1.0.1)
+      minitest
+    minitest-reporters (1.4.2)
+      ansi
+      builder
+      minitest (>= 5.0)
+      ruby-progressbar
+    nio4r (2.5.2)
+    nokogiri (1.10.9)
+      mini_portile2 (~> 2.4.0)
+    rack (2.2.2)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (6.0.3.1)
+      actioncable (= 6.0.3.1)
+      actionmailbox (= 6.0.3.1)
+      actionmailer (= 6.0.3.1)
+      actionpack (= 6.0.3.1)
+      actiontext (= 6.0.3.1)
+      actionview (= 6.0.3.1)
+      activejob (= 6.0.3.1)
+      activemodel (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
+      activestorage (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
+      bundler (>= 1.3.0)
+      railties (= 6.0.3.1)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.20.3, < 2.0)
+    rake (12.3.3)
+    ruby-progressbar (1.10.1)
+    secret_keys (1.0.0.pre)
+    sprockets (4.0.0)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (1.0.1)
+    thread_safe (0.3.6)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    websocket-driver (0.7.2)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  appraisal (~> 2.2.0)
+  combustion (~> 1.3.0)
+  config (~> 2.2.1)
+  minitest (~> 5.0)
+  minitest-fork_executor (~> 1.0.1)
+  minitest-reporters (~> 1.4.2)
+  rake (~> 12.0)
+  secret_keys_rails!
+
+BUNDLED WITH
+   1.17.3

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Nick Muerdter
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,152 @@
+# SecretKeysRails
+
+[![CI](https://github.com/GUI/secret_keys_rails/workflows/CI/badge.svg)](https://github.com/GUI/secret_keys_rails/actions?workflow=CI)
+
+An alternative to Rails encrypted credentials that uses the [SecretKeys](https://github.com/bdurand/secret_keys) library. The primary difference this offers versus the default Rails encrypted credentials strategy is that this uses an encrypted file format that only encrypts the values of the file (the hash keys are unencrypted). This allows for easier git diffs/merges while still keeping the secret values encrypted (but the overall structure of the file will not be encrypted). This gem provides some convenience wrappers on top of the SecretKeys library for integration with Rails applications.
+
+As an example, the encrypted version of:
+
+```yml
+foo: bar
+baz: qux
+```
+
+Might be encrypted as:
+
+```yml
+".encrypted":
+  ".salt": 82acce8beeeb422f
+  ".key": "$AES$:AJedc/6fDmjRHyh8Ln3K5y/WDzmbQVAsPWkDOFMLpaERVpKPS4I"
+  foo: "$AES$:d3mPCOkdfcWAD6BJGjvZT00BtKqAtLVKNvrlE191qg"
+  baz: "$AES$:t05Yel2BwiacEnsIXnnVoqTyXLsXU6oWZbSG7kOIDQ"
+```
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem "secret_keys_rails"
+```
+
+And then execute:
+
+```
+bundle install
+```
+
+## Usage
+
+### Creating or Editing Secrets
+
+To open an interactive editor to create or edit the default encrypted `config/secret_keys.yml` file:
+
+```
+rake secret_keys:edit
+```
+
+All string values you enter will be encrypted after saving and closing this editing session.
+
+If editing the file for the first time, an encryption key will be generated for you and saved to `config/secret_keys.yml.key`. This encryption key should be kept private and only shared to users that need to decrypt the encrypted values.
+
+### Showing Secrets
+
+To view all the encrypted secrets in unencrypted form for the default `config/secret_keys.yml` file:
+
+```
+rake secret_keys:show
+```
+
+### Using Secrets
+
+Unencrypted secrets are available in your application via the `SecretKeysRails.secrets` hash. This hash is an instance of [`ActiveSupport::HashWithIndifferentAccess`](https://api.rubyonrails.org/classes/ActiveSupport/HashWithIndifferentAccess.html), so keys can be accessed as either symbols or strings.
+
+```ruby
+# Symbol or strings can be used for accessing keys.
+SecretKeysRails.secrets[:some_api_key]
+SecretKeysRails.secrets["some_api_key"]
+
+# Use fetch to raise an error if the key isn't present.
+SecretKeysRails.secrets.fetch(:some_api_key)
+
+# Other standard Hash methods can be used for access, lig dig.
+SecretKeysRails.secrets.dig(:some_api_key)
+```
+
+### Encryption Key
+
+In order to decrypt the secrets, the encryption key must be set. The encryption key may either be stored in the `config/secret_keys.yml.key` file or set in the `SECRET_KEYS_ENCRYPTION_KEY` environment variable.
+
+By default, if the encryption key is not set, then `SecretKeysRails.secrets` will return an empty hash. If you want to require the encryption key be set, then you can change the [`SecretKeysRails.require_encryption_key`](#secretkeysrailsrequire_encryption_key) setting to raise an error if the encryption key is not set.
+
+### Environment Specific Secrets
+
+The commands support passing an `--environment` option to create an environment specific override. That override will take precedence over the global `config/secret_keys.yml` file when running in that environment. So:
+
+```
+rake secret_keys:edit -- --environment development
+```
+
+will create `config/secret_keys/development.yml` with the corresponding encryption key in `config/secret_keys/development.yml.key` if the credentials file doesn't exist.
+
+The encryption key can also be put in `ENV["SECRET_KEYS_ENCRYPTION_KEY"]`, which takes precedence over the file encryption key.
+
+In addition to that, the default credentials lookup paths can be overridden through the [`SecretKeysRails.secrets_path`](#secretkeysrailssecrets_path) and [`SecretKeysRails.key_path`](#secretkeysrailskey_path) settings.
+
+## Configuration
+
+You may adjust RailsSecretKeys configuration by adding a `config/initializers/secret_keys_rails.rb` file with setting changes. Note that the initializer must exist at this path to be properly loaded (this ensures that RailsSecretKeys is available early on in the Rails load process, so other parts of Rails and other gems can integrate with it).
+
+#### `SecretKeysRails.require_encryption_key`
+
+Raise an error if the encryption key isn't set.
+
+```ruby
+SecretKeysRails.require_encryption_key = true # Defaults to `false`
+```
+
+#### `SecretKeysRails.secrets_path`
+
+Set a custom path to the secret keys encrypted file.
+
+```ruby
+SecretKeysRails.secret_path = "config/my_keys.yml" # Defaults to `config/secret_keys/<ENV>.yml` or `config/secret_keys.yml`
+```
+
+#### `SecretKeysRails.key_path`
+
+Set a custom path to the encryption key path.
+
+```ruby
+SecretKeysRails.key_path = "config/my_keys.yml.key" # Defaults to `config/secret_keys/<ENV>.yml.key` or `config/secret_keys.yml.key`
+```
+
+## Design
+
+The underlying [SecretKeys](https://github.com/bdurand/secret_keys) library is more flexible in a few ways. This gem is slightly more opinionated for integration with Rails, and we attempt to more closely match the behavior of the default Rails encrypted credentials experience. The primary differences are:
+
+- The secret keys files are always stored as YAML.
+- The secret keys files exist at specific paths (`config/secret_keys.yml` or `config/secrets_keys/<ENV>.yml`).
+- The encryption key can be read from a specific path (`config/secret_keys.yml.key` or `config/secrets_keys/<ENV>.yml.key`).
+- All values in the file will be encrypted.
+- An interactive edit command is supplied for editing the decrypted file.
+- Keys are returned as a deeply frozen `ActiveSupport::HashWithIndifferentAccess`.
+
+## Known Limitations
+
+- Only string values will be encrypted. Numbers, booleans, and null values will not be encrypted.
+- Comments in the YAML file will be stripped.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/GUI/secret_keys_rails.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+  t.warning = false
+end
+
+task :default => :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "secret_keys_rails"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/secret_keys_rails

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+
+require "secret_keys_rails/commands/secret_keys_command"
+
+rails_root = if ENV["RAILS_ROOT"]
+  Pathname.new(ENV["RAILS_ROOT"]).expand_path
+elsif File.exist?(File.join(Dir.pwd, "config/environment.rb"))
+  Pathname.new(Dir.pwd)
+elsif ENV["BUNDLE_GEMFILE"] && File.exist?(File.expand_path("../config/environment.rb", ENV["BUNDLE_GEMFILE"]))
+  Pathname.new(File.expand_path("..", ENV["BUNDLE_GEMFILE"]))
+else
+  Pathname.new(Dir.pwd).expand_path
+end
+
+Dir.chdir(rails_root) do
+  SecretKeysRails::Commands::SecretKeysCommand.start(ARGV)
+end

data/gemfiles/rails_4.2.gemfile

@@ -0,0 +1,18 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rake", "~> 12.0"
+gem "minitest", "~> 5.0"
+gem "minitest-reporters", "~> 1.4.2"
+gem "minitest-fork_executor", "~> 1.0.1"
+gem "appraisal", "~> 2.2.0"
+gem "combustion", "~> 1.3.0"
+gem "rails", "~> 4.2.0"
+gem "sprockets", "< 4"
+
+group :test_app do
+  gem "config", "~> 2.2.1"
+end
+
+gemspec path: "../"

data/gemfiles/rails_5.0.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rake", "~> 12.0"
+gem "minitest", "~> 5.0"
+gem "minitest-reporters", "~> 1.4.2"
+gem "minitest-fork_executor", "~> 1.0.1"
+gem "appraisal", "~> 2.2.0"
+gem "combustion", "~> 1.3.0"
+gem "rails", "~> 5.0.0"
+
+group :test_app do
+  gem "config", "~> 2.2.1"
+end
+
+gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rake", "~> 12.0"
+gem "minitest", "~> 5.0"
+gem "minitest-reporters", "~> 1.4.2"
+gem "minitest-fork_executor", "~> 1.0.1"
+gem "appraisal", "~> 2.2.0"
+gem "combustion", "~> 1.3.0"
+gem "rails", "~> 5.1.0"
+
+group :test_app do
+  gem "config", "~> 2.2.1"
+end
+
+gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rake", "~> 12.0"
+gem "minitest", "~> 5.0"
+gem "minitest-reporters", "~> 1.4.2"
+gem "minitest-fork_executor", "~> 1.0.1"
+gem "appraisal", "~> 2.2.0"
+gem "combustion", "~> 1.3.0"
+gem "rails", "~> 5.2.0"
+
+group :test_app do
+  gem "config", "~> 2.2.1"
+end
+
+gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rake", "~> 12.0"
+gem "minitest", "~> 5.0"
+gem "minitest-reporters", "~> 1.4.2"
+gem "minitest-fork_executor", "~> 1.0.1"
+gem "appraisal", "~> 2.2.0"
+gem "combustion", "~> 1.3.0"
+gem "rails", "~> 6.0.0"
+
+group :test_app do
+  gem "config", "~> 2.2.1"
+end
+
+gemspec path: "../"

data/lib/secret_keys_rails.rb

@@ -0,0 +1,119 @@
+require "active_support/core_ext/hash/indifferent_access"
+require "ice_nine"
+require "secret_keys"
+require "secret_keys_rails/errors"
+require "secret_keys_rails/version"
+
+module SecretKeysRails
+  @secrets = nil
+  @require_encryption_key = false
+  @secrets_path = nil
+  @key_path = nil
+  class << self
+    attr_accessor :require_encryption_key
+    attr_writer :secrets_path
+    attr_writer :key_path
+
+    def secrets_path(env = nil)
+      if @secrets_path
+        Pathname.new(@secrets_path)
+      elsif env
+        Pathname.new("config/secret_keys/#{env}.yml")
+      else
+        Pathname.new("config/secret_keys.yml")
+      end
+    end
+
+    def key_path(env = nil)
+      if @key_path
+        Pathname.new(@key_path)
+      elsif env
+        Pathname.new("config/secret_keys/#{env}.yml.key")
+      else
+        Pathname.new("config/secret_keys.yml.key")
+      end
+    end
+
+    def key(env = nil)
+      key = nil
+
+      if ENV["SECRET_KEYS_ENCRYPTION_KEY"]
+        key = ENV["SECRET_KEYS_ENCRYPTION_KEY"]
+      else
+        path = self.key_path(env)
+        if File.exist?(path)
+          key = File.read(path).strip
+        end
+      end
+
+      if !key && self.require_encryption_key
+        raise MissingKeyError.new("Missing encryption key to decrypt file with. Ask your team for your master key and write it to #{self.key_path(env)} or put it in the ENV['SECRET_KEYS_ENCRYPTION_KEY'].")
+      end
+
+      key
+    end
+
+    def secrets
+      unless @secrets
+        raise NotLoadedError.new("Secrets have not been loaded. Rails should automatically load the secrets on startup.")
+      end
+
+      @secrets
+    end
+
+    def load
+      # Determine whether we should try to load the environment-specific secret
+      # keys file (eg, config/secret_keys/ENV.yml), or whether we should use the
+      # default file (config/secret_keys.yml).
+      secrets_path = nil
+      key = nil
+      if Pathname.new("config/secret_keys/#{::Rails.env}.yml").exist?
+        secrets_path = self.secrets_path(::Rails.env)
+        key = self.key(::Rails.env)
+      else
+        secrets_path = self.secrets_path
+        key = self.key
+      end
+
+      # Decrypt the file with the SecretKeys library.
+      if secrets_path.exist? && key
+        secrets = SecretKeys.new(secrets_path, key).to_h
+      else
+        secrets = {}
+      end
+
+      # Use a HashWithIndifferentAccess for easier key access, and also deep
+      # freeze the object to prevent unintended modifications of the secrets at
+      # runtime.
+      @secrets = IceNine.deep_freeze(secrets.with_indifferent_access)
+
+      # If there is a `secret_key_base` secret present, then use that for the
+      # default Rails secret_key_base definition (depending on Rails version,
+      # this can be read out of a few different places).
+      if @secrets.key?(:secret_key_base)
+        if ::Rails.application.respond_to?(:credentials)
+          Rails.application.credentials.secret_key_base = @secrets.fetch(:secret_key_base)
+        end
+        if ::Rails.application.respond_to?(:secrets)
+          Rails.application.secrets.secret_key_base = @secrets.fetch(:secret_key_base)
+        end
+        if ::Rails.application.config.respond_to?(:secret_key_base=)
+          Rails.application.config.secret_key_base = @secrets.fetch(:secret_key_base)
+        end
+      end
+    end
+
+    def read(env = nil)
+      secrets_path = self.secrets_path(env)
+      unless secrets_path.exist?
+        raise MissingSecretsError.new("File '#{secrets_path}' does not exist. Use `rake secret_keys:edit` to create it.")
+      end
+
+      SecretKeys.new(secrets_path, self.key(env))
+    end
+  end
+end
+
+if defined?(::Rails)
+  require "secret_keys_rails/railtie"
+end

data/lib/secret_keys_rails/commands/secret_keys_command.rb

@@ -0,0 +1,123 @@
+require "secret_keys_rails"
+require "thor"
+require "securerandom"
+require "yaml"
+
+module SecretKeysRails
+  module Commands
+    class SecretKeysCommand < Thor
+      include Thor::Actions
+
+      class_option :environment, :aliases => "-e", :type => :string, :desc => "Specifies the environment to run the command under (test/development/production)."
+
+      def self.exit_on_failure?
+        true
+      end
+
+      def self.rake_args
+        args = ARGV.dup
+        if args[0]
+          args[0] = args[0].sub(/\Asecret_keys:/, "")
+        end
+        if args[1] == "--"
+          args.delete_at(1)
+        end
+        args
+      end
+
+      desc "show", "Decrypt and show the unencrypted secret keys"
+      def show
+        SecretKeysRails.require_encryption_key = true
+        secrets = SecretKeysRails.read(options["environment"])
+        STDOUT.write(yaml_dump(secrets.to_h))
+      rescue SecretKeysRails::Error => e
+        STDERR.puts e.message
+        exit 1
+      end
+
+      desc "edit", "Opens a temporary file in `$EDITOR` with the decrypted contents to edit the encrypted credentials."
+      def edit
+        key = ensure_key(options["environment"])
+        ensure_secrets(key, options["environment"])
+        edit_secrets(options["environment"])
+
+      rescue SecretKeysRails::Error => e
+        STDERR.puts e.message
+        exit 1
+      end
+
+      private
+
+      def ensure_key(env = nil)
+        key = SecretKeysRails.key(env)
+        unless key
+          key_path = SecretKeysRails.key_path(env)
+          unless key_path.exist?
+            key = SecureRandom.hex(32)
+
+            puts "Adding #{key_path} to store the encryption key: #{key}"
+            puts ""
+            puts "Save this in a password manager your team can access."
+            puts ""
+            puts "If you lose the key, no one, including you, can access anything encrypted with it."
+
+            puts ""
+            create_file key_path, key
+            chmod key_path, 0600
+            puts ""
+
+            ignore = "\n/#{key_path}\n"
+            if File.exist?(".gitignore")
+              unless File.read(".gitignore").include?(ignore)
+                puts "Ignoring #{key_path} so it won't end up in Git history:"
+                puts ""
+                append_to_file ".gitignore", ignore
+                puts ""
+              end
+            else
+              puts "IMPORTANT: Don't commit #{key_path}. Add this to your ignore file:"
+              puts set_color(ignore, :green, :bold)
+            end
+          end
+        end
+
+        key
+      end
+
+      def ensure_secrets(key, env = nil)
+        secrets_path = SecretKeysRails.secrets_path(env)
+        unless secrets_path.exist?
+          secrets = SecretKeys.new({
+            "secret_key_base" => SecureRandom.hex(64),
+          }, key)
+          secrets.save(secrets_path.to_s)
+        end
+      end
+
+      def edit_secrets(env = nil)
+        secrets = SecretKeysRails.read(env)
+
+        secrets_path = SecretKeysRails.secrets_path(env)
+        tmp_file = "#{Process.pid}.#{secrets_path.basename.to_s}"
+        tmp_path = Pathname.new(File.join(Dir.tmpdir, tmp_file))
+        tmp_path.binwrite(yaml_dump(secrets.to_h))
+
+        system("#{ENV["EDITOR"]} #{tmp_path}")
+
+        updated_contents = tmp_path.binread
+        secrets.keys.each do |key|
+          secrets.encrypt!(key)
+        end
+        secrets.replace(YAML.safe_load(updated_contents))
+        secrets.keys.each do |key|
+          secrets.encrypt!(key)
+        end
+        secrets.save(secrets_path.to_s)
+      end
+
+      def yaml_dump(obj)
+        YAML.dump(obj).sub(/\A---\n/, "")
+      end
+    end
+  end
+end

data/lib/secret_keys_rails/errors.rb

@@ -0,0 +1,6 @@
+module SecretKeysRails
+  class Error < StandardError; end
+  class MissingKeyError < Error; end
+  class MissingSecretsError < Error; end
+  class NotLoadedError < Error; end
+end

data/lib/secret_keys_rails/railtie.rb

@@ -0,0 +1,31 @@
+require "rails/railtie"
+
+module SecretKeysRails
+  class Railtie < ::Rails::Railtie
+    # Load the secret keys as early as possible, so it can be used in other
+    # parts of the Rails configuration, like database.yml files.
+    config.before_configuration do
+      # Load the optional initializer manually (since this before_configuration
+      # phase is before when initializers are usually loaded), so that any
+      # customizations can be read in.
+      initializer = ::Rails.root.join("config", "initializers", "secret_keys_rails.rb")
+      require initializer if File.exist?(initializer)
+
+      SecretKeysRails.load
+    end
+
+    # Try to ensure our own "before_configuration" hook gets loaded before any
+    # others that have already been loaded, so that these secrets can be used
+    # as part of other gem's own before_configuration hooks (eg, in the
+    # "config" gem's settings.yml files).
+    load_hooks = ActiveSupport.instance_variable_get(:@load_hooks)
+    if load_hooks && load_hooks[:before_configuration]
+      load_hooks[:before_configuration] = load_hooks[:before_configuration].rotate(-1)
+    end
+
+    # Load our custom rake tasks.
+    rake_tasks do
+      load "secret_keys_rails/railtie/secret_keys.rake"
+    end
+  end
+end

data/lib/secret_keys_rails/railtie/secret_keys.rake

@@ -0,0 +1,13 @@
+namespace :secret_keys do
+  desc "Show the secret keys"
+  task :show do
+    require "secret_keys_rails/commands/secret_keys_command"
+    SecretKeysRails::Commands::SecretKeysCommand.start(SecretKeysRails::Commands::SecretKeysCommand.rake_args)
+  end
+
+  desc "Edit the secret keys"
+  task :edit do
+    require "secret_keys_rails/commands/secret_keys_command"
+    SecretKeysRails::Commands::SecretKeysCommand.start(SecretKeysRails::Commands::SecretKeysCommand.rake_args)
+  end
+end

data/lib/secret_keys_rails/version.rb

@@ -0,0 +1,3 @@
+module SecretKeysRails
+  VERSION = "0.1.0"
+end

data/secret_keys_rails.gemspec

@@ -0,0 +1,32 @@
+require_relative 'lib/secret_keys_rails/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "secret_keys_rails"
+  spec.version       = SecretKeysRails::VERSION
+  spec.authors       = ["Nick Muerdter"]
+  spec.email         = ["12112+GUI@users.noreply.github.com"]
+
+  spec.summary       = %q{Git-friendly encrypted secrets for Rails.}
+  spec.homepage      = "https://github.com/GUI/secret_keys_rails"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/GUI/secret_keys_rails"
+  spec.metadata["source_code_uri"] = "https://github.com/GUI/secret_keys_rails/tree/v#{SecretKeysRails::VERSION}"
+  spec.metadata["changelog_uri"] = "https://github.com/GUI/secret_keys_rails/blob/v#{SecretKeysRails::VERSION}/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "secret_keys"
+  spec.add_dependency "rails", ">= 4"
+  spec.add_dependency "ice_nine"
+  spec.add_dependency "thor"
+end

metadata

@@ -0,0 +1,128 @@
+--- !ruby/object:Gem::Specification
+name: secret_keys_rails
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Nick Muerdter
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-05-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: secret_keys
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
+- !ruby/object:Gem::Dependency
+  name: ice_nine
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- 12112+GUI@users.noreply.github.com
+executables:
+- secret_keys_rails
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".travis.yml"
+- Appraisals
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/secret_keys_rails
+- gemfiles/rails_4.2.gemfile
+- gemfiles/rails_5.0.gemfile
+- gemfiles/rails_5.1.gemfile
+- gemfiles/rails_5.2.gemfile
+- gemfiles/rails_6.0.gemfile
+- lib/secret_keys_rails.rb
+- lib/secret_keys_rails/commands/secret_keys_command.rb
+- lib/secret_keys_rails/errors.rb
+- lib/secret_keys_rails/railtie.rb
+- lib/secret_keys_rails/railtie/secret_keys.rake
+- lib/secret_keys_rails/version.rb
+- secret_keys_rails.gemspec
+homepage: https://github.com/GUI/secret_keys_rails
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/GUI/secret_keys_rails
+  source_code_uri: https://github.com/GUI/secret_keys_rails/tree/v0.1.0
+  changelog_uri: https://github.com/GUI/secret_keys_rails/blob/v0.1.0/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: Git-friendly encrypted secrets for Rails.
+test_files: []